[sudo-users] Question on functionality

Michael Potter pottmi at gmail.com
Thu Jan 17 23:45:26 EST 2008


As long as we are on the topic of prompts...

change their prompt to look like this:
# joe at prodsys:/usr/local/directory
# _

Or something like that.  The point I am making is to use # as the
first character.  Then if they have an errant cut and paste, they are
more likely to paste in something that starts with a pound sign and it
will be seen as a comment to the shell.

I wish xterm (and friends) had a mode where it would not allow a paste
that contained a newline.

-- 
Michael Potter

On Jan 17, 2008 10:38 PM, Phil Wild <philwild at gmail.com> wrote:
> Thanks for the response Michael,
>
> I was after a little bit of both. I don't want to make it hard for
> them to do their job. What we have done is taken a more simplistic
> approach and made sure that if they are on a production system, the
> background is red (set in their prompt). Hopefully that is enough.
>
> On 18/01/2008, Michael Potter <pottmi at gmail.com> wrote:
> > I am just thinking out loud here, but here are some ideas...
> >
> > Correct me if I am wrong, but what you are after is not really
> > absolute security, but a way to help keep the dbas from doing something
> > "stupid".
> >
> > Rather than renaming sudo, I would compile sudo with the #define
> > changed that defines the location of the sudoers file.  Then you would
> > rename the newly compiled sudo to the hostname.  Then you could
> > create a specific sudoers file for oracle work and leave the regular
> > sudoers file for system work.
> >
> > You would not list the dbas in /etc/sudoers so they could not use sudo.
> >
> > You may also want to consider NOT doing this with sudo.  You could
> > create a perl script that would do the checking you want and run the
> > command.  Perl has outstanding support for setuid scripts (giyf: perl
> > taint mode).
> >
> > For instance, in perl you could do things like check the time of day
> > and only allow commands to be run in production during certain times
> > of the day or when certain conditions are met.
> >
> > --
> > Michael Potter
> >
> >
> > On Jan 13, 2008 10:13 PM, Phil Wild <philwild at gmail.com> wrote:
> > > Hello sudo-users,
> > >
> > > I am new to the list but have used sudo for simple tasks previously.
> > >
> > > I have a requirement to use sudo to protect production systems. We had
> > > an issue where a dba ran a command on a production host that he was
> > > supposed to run elsewhere. We are trying to come up with a way of
> > > making it hard for this type of thing to happen again.
> > >
> > > What I want to do is:
> > >
> > > Turn the oracle account into a role and remove the password.
> > > Set up the dbas so that they can run everything they want bar a
> > > certain list of commands as the oracle user.
> > > Allow them to do this without a password.
> > >
> > > I am then going to rename sudo to the hostname, so to run anything on
> > > the host they log into the host and type "hostname command parameters
> > > etc etc". This is going to be a bit painful but will ensure they run what
> > > they run where they expect it to run...
> > >
> > > I think all the above is possible but I would be interested in
> > > comments on the concept...
> > >
> > > Also, the dbas set environment variables which point them to a target
> > > database for interactive commands. Any ideas on a way to handle this,
> > > as I assume they will not be passed through the sudo command?
> > >
> > > Cheers
> > >
> > > Phil
> > >
> > > --
> > > Tel: 0400 466 952
> > > Fax: 0433 123 226
> > > email: philwild at gmail.com
> > > ____________________________________________________________
> > > sudo-users mailing list <sudo-users at sudo.ws>
> > > For list information, options, or to unsubscribe, visit:
> > > http://www.sudo.ws/mailman/listinfo/sudo-users
> > >
> >
>
>
> --
>
> Tel: 0400 466 952
> Fax: 0433 123 226
> email: philwild at gmail.com
>
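
One way to realise the "type the hostname before the command" idea from the thread as a per-host wrapper around sudo instead of a renamed sudo binary, with the deny list and the environment pass-through handled in one place (an added example, not code from any poster; the wrapper name prodrun, the deny list and the sudoers lines are assumptions):

```shell
#!/bin/sh
# Hypothetical wrapper "prodrun": install one copy per host, named after that
# host (e.g. /usr/local/bin/prodsys), so a DBA must type the target hostname
# in front of every privileged command and a mismatch is refused.

# Commands the DBAs may not run as oracle (constructed deny list).
DENIED_COMMANDS="rm dd shutdown"

# 0 when the name we were invoked as ($1) equals this machine's hostname ($2).
check_host_matches() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# 0 when the command basename ($1) is not on the deny list.
command_allowed() {
    for denied in $DENIED_COMMANDS; do
        [ "$1" = "$denied" ] && return 1
    done
    return 0
}

main() {
    invoked_as=$(basename "$0")
    this_host=$(hostname -s 2>/dev/null || hostname)
    if ! check_host_matches "$invoked_as" "$this_host"; then
        echo "$invoked_as: this host is '$this_host', refusing to run" >&2
        return 2
    fi
    if [ $# -eq 0 ]; then
        echo "usage: $invoked_as command [args...]" >&2
        return 2
    fi
    if ! command_allowed "$(basename "$1")"; then
        echo "$invoked_as: '$1' is denied for oracle on $this_host" >&2
        return 3
    fi
    # Assumed sudoers entries so the DBA's target-database variables survive
    # the switch to oracle:
    #   Defaults:%dba env_keep += "ORACLE_SID ORACLE_HOME"
    #   %dba ALL=(oracle) NOPASSWD: ALL
    exec sudo -u oracle -- "$@"
}

# Dispatch only when given a command, so the functions can be sourced/tested.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Because the DBAs never hold the oracle password and sudo logs each invocation, the host check and the deny list are enforced on every command rather than relying on the prompt colour alone.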